Fileless attacks: How attackers evade traditional AV and how to stop them
When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks—and while they can be bad, they’re nothing compared to their fileless cousins.
As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done but rather in-memory execution, which helps them evade detection by conventional security solutions.
In this post, we’ll explore topics like how fileless attacks work, why they’re effective, and what you can do to find and block fileless threats.
Fileless attacks explained
In contrast to file-based attacks that execute the payload in the hard drive, fileless attacks execute the payload in Random Access Memory (RAM). Executing malicious code directly into memory instead of the hard drive has several benefits, such as:
- Evasion of traditional security measures: Fileless attacks bypass antivirus software and file signature detection, making them difficult to identify using conventional security tools.
- Increased potential for damage: Since fileless attacks can operate more stealthily and with greater access to system resources, they may be able to cause more damage to a compromised system than file-based attacks.
- Memory-based attacks can be difficult to remediate: Since fileless attacks don’t create files, they can be more challenging to remove from a system once they have been detected. This can make it extra difficult for forensics to trace an attack back to the source and restore the system to a secure state.
Fileless attacks vs Living-off-the-land (LOTL) attacks
If you read our article on LOTL attacks, you may be confused: Aren’t fileless attacks and LOTL attacks the same thing? Well, yes and no.
LOTL attacks are anytime an attacker leverages legitimate tools to evade detection, steal data, and more, while fileless attacks refer purely to executing code directly into memory. While both types of attacks often overlap, they are not synonymous.
Think of fileless attacks as an occasional subset of LOTL attacks. Fileless attacks can and often do leverage LOTL techniques to execute payload into memory, but they can also do so without leveraging a legitimate system tool or process at all.
Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.
To configure Exploit Protection Advanced settings, follow these steps:
- Go to Configure > Policies in Nebula.
- Select a policy and navigate to Protection settings > Advanced settings > Anti-exploit settings.
Exploit Protection settings in a policy in Malwarebytes EDR.
Here’s an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:
- Application Hardening: By enforcing security measures like DEP and ASLR, and disabling potentially vulnerable components like Internet Explorer VB Scripting, Application Hardening reduces the attack surface and makes it more difficult for fileless malware to exploit weaknesses in applications.
- Advanced Memory Protection: This layer prevents fileless malware from executing payload code in memory by detecting and blocking techniques such as DEP bypass, memory patch hijacking, and stack pivoting, thereby stopping the attack before it can cause harm.
- Application Behavior Protection: This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits. Options include Malicious LoadLibrary Protection, Protection for Internet Explorer VB Scripting, Protection for MessageBox Payload, and protection against various Microsoft Office macro exploits.
- Java Protection: These settings protect against exploits commonly used in Java programs. By guarding against Java-specific exploits, such as web-based Java command execution and Java Meterpreter payloads, Java Protection can effectively prevent fileless attacks that leverage Java vulnerabilities to infiltrate systems and execute malicious code.
Fighting fileless threats with Malwarebytes EDR: Configuring Suspicious Activity Monitoring in Nebula
Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure Suspicious Activity Monitoring in Nebula.
To enable Suspicious Activity Monitoring in your policy:
- Log in to your Nebula console.
- Navigate to Configure > Policies.
- Click “New” or select an existing policy.
- Choose the “Endpoint Detection and Response” tab.
- Locate “Suspicious Activity Monitoring” and enable it for the desired operating systems.
Advanced Settings offer additional options for activity monitoring. To configure these settings:
- In the same “Endpoint Detection and Response” tab, find the “Advanced Settings” section.
- Enable “Server operating system monitoring for suspicious activity” to extend monitoring to server operating systems.
- Enable “Very aggressive detection mode” to apply a tighter threshold for flagging processes as suspicious.
- Toggle “Collect networking events to include in searching” to ON (default) or OFF, depending on your preference. Turning it OFF decreases traffic sent to the cloud.
Flight Recorder Search
Flight Recorder Search collects all endpoint events within its search functionality. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can effectively counter fileless malware threats by monitoring processes, registry, file system, and network activity on the endpoint.
Respond to fileless attacks quickly and effectively
Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.